Many common security techniques are based on the outdated notion of an enterprise with a well-controlled, clearly defined perimeter. In such environments, firewalls were the primary tool for protecting the computing resources inside that perimeter. In modern environments, however, applications are increasingly hosted on cloud-based systems rather than on on-premises infrastructure within the enterprise, and many users perform their computing activities from outside the enterprise perimeter. Consequently, many legacy security techniques are not only costly, complex, cumbersome, and ineffective; they also introduce security vulnerabilities of their own.
Security approaches that rely on all users being inside an enterprise perimeter create risk because anyone already inside the perimeter, including an attacker who has compromised one user's machine, can move laterally with little restriction: from computer to computer, to applications, and to other resources. Such approaches also typically require opening holes in the firewall for outside communications, which is a further risk. Moreover, they limit user freedom, mobility, and productivity. The result is a poor user experience, significant IT overhead within the enterprise, and little visibility into how users actually use applications.
Other existing security techniques are inadequate in usability, flexibility, security, or speed. Some techniques let users authenticate with biometrics; but biometrics used alone are vulnerable to attacks that duplicate or replay the biometric data, or a hash of it. Other techniques rely on passwords; but passwords are also vulnerable to theft and duplication, require users to memorize them on a continuously changing basis, impose management and IT burdens, and are often the weakest link in a security regime. Still other techniques attempt to authenticate users from observed environmental factors or calculated risk scores, such as geographic location and user activity; but these are prone to false positives and false negatives and require complex rule sets to implement. Further, none of these techniques can confirm the current physical proximity between a user, the computing device they are using, and the secured resource they are trying to access. At best, they provide only partial information about that proximity.
Additional security vulnerabilities and disruptions occur when users needing to securely access devices, applications, files, data, or other resources have no network connection (e.g., because of air travel, lack of network coverage, network downtime, network failures, etc.) or a poor quality connection. When users anticipate a lack of a reliable network connection, they sometimes implement workarounds (e.g., storing sensitive documents or data locally, storing such materials on removable storage like USB drives, bypassing security requirements, etc.). This creates significant security gaps and vulnerabilities. On the other hand, when users wait until they have a reliable connection to access secure resources, this results in a loss of productivity, inefficiencies, and missed opportunities.
Additional security vulnerabilities arise when users keep secure sessions open longer than needed or leave them unattended. For example, after opening a secure session with an endpoint application or other resource, a user may leave the participating application (e.g., a browser) open after their activity in the session has ended. The longer the session remains open, the longer it is exposed to attack by third parties (e.g., session hijacking or man-in-the-middle attacks). Further, users sometimes leave a secure session open when they have left their computing device (e.g., stepped into another room, left the building, left their home, etc.), or use a secure session while the device is in an insecure location (e.g., a public area of a hotel, an airport, a train, a coffee shop, etc.) where it can be observed by other individuals. When an unauthorized person (e.g., an attacker) gains access to the personal computing device, it can be difficult to trace their unauthorized actions back to the device they compromised. Sometimes, the unauthorized use is discovered only after the attacker has completed the attack (e.g., impersonation of the rightful user, data theft, misuse of applications or other resources, corporate espionage, malware injection, etc.).
There are thus technological needs for systems and methods that more securely, flexibly, and quickly authenticate users seeking access to network-restricted resources. It would be advantageous for solutions to not rely on the presence of an agent running on an endpoint device in all situations. Further, it would be advantageous for such solutions to not require passwords or other authentication credentials that users must memorize or supply. It would also be advantageous to allow client devices to access controlled target network resources, following passwordless authentication, without directly connecting the client device to the target resources. In addition, it would be advantageous for such solutions to operate with various different types of identification and verification technologies and protocols. Such solutions may also advantageously utilize authentication techniques such as biometric recognition, voice recognition, body or movement sensing, and artificial intelligence techniques. It may also be advantageous for such solutions to be transparent to users of client devices, to the client devices they are using, or to target network resources they are accessing. Further, in situations where such solutions are implemented using an application (e.g., a mobile app), it may be advantageous to separate any confidential or biometric information about the user from the application itself, and instead store only public or non-sensitive user information in the app (e.g., name, title, contact information, etc.).
In addition, it would be advantageous for solutions to confirm the proximity between a user, their computing device, and the secured resource they are trying to access; by confirming that proximity, a system can more reliably determine that a user is who they purport to be. Further, it would be advantageous for such techniques to involve secret splitting, so that at least one portion of a secret needed for access control is held by the computing device controlling access and another portion by the user's personal computing device, and only the combination of the portions enables access. In this manner, a malicious actor who obtained one portion still could not access the secured resource, because they would lack the other portion(s). When such techniques are implemented by a security service provider operating between the user and the secured resource, access control is also guaranteed to run through the provider, because its portion of the secret is required, thus providing a stronger level of security.
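The secret splitting described above can be realized with a threshold sharing scheme. The following is an added example, not code from this disclosure: it implements Shamir's scheme over GF(2^8), which the text does not name but which is one standard realization of "a portion held by the access-controlling device, a portion held by the personal device, and only the combination enables access". It also shows why a lone portion is useless to an attacker: for a 2-of-2 split, every candidate secret has a consistent counterpart share. All function names (split_secret, combine_shares, counterpart_for) and the sample secret are assumptions made for illustration.

```python
"""Threshold secret splitting (Shamir's scheme over GF(2^8)).

Added example; the text names no scheme, and every identifier here is an
illustrative assumption rather than an API from the disclosure.
"""
import secrets as _rng
from typing import List, Tuple

Share = Tuple[int, bytes]          # (x-coordinate, one y byte per secret byte)
_AES_POLY = 0x11B                  # x^8 + x^4 + x^3 + x + 1, as used by AES


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8), reducing modulo the AES polynomial."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= _AES_POLY
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse a^254 by square-and-multiply (254 = 0b11111110)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, power = 1, a
    for _ in range(7):
        power = gf_mul(power, power)       # a^2, a^4, ..., a^128
        result = gf_mul(result, power)
    return result


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split_secret(secret: bytes, threshold: int, n_shares: int) -> List[Share]:
    """Produce n_shares shares; any `threshold` of them recover `secret`."""
    if not 2 <= threshold <= n_shares <= 255:
        raise ValueError("need 2 <= threshold <= n_shares <= 255")
    ys = [bytearray() for _ in range(n_shares)]
    for byte in secret:
        # Fresh random polynomial per byte, with the secret byte as constant term.
        coeffs = [byte] + [_rng.randbelow(256) for _ in range(threshold - 1)]
        for i in range(n_shares):
            ys[i].append(_eval_poly(coeffs, i + 1))
    return [(i + 1, bytes(ys[i])) for i in range(n_shares)]


def combine_shares(shares: List[Share], threshold: int) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0 to recover the secret."""
    if len(shares) < threshold:
        raise ValueError(f"{len(shares)} share(s) held, {threshold} required")
    shares = shares[:threshold]
    if len({x for x, _ in shares}) != threshold:
        raise ValueError("duplicate share index")
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for xj, yj in shares:
            # Basis polynomial at 0: prod_{m != j} x_m / (x_j - x_m);
            # in characteristic 2 subtraction is XOR.
            num = den = 1
            for xm, _ in shares:
                if xm != xj:
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xj ^ xm)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def counterpart_for(share: Share, candidate: bytes) -> Share:
    """Threshold-2 only: given ONE share, build the second share that would make
    `candidate` the secret.  Such a counterpart exists for every candidate, which
    is exactly why an attacker holding a single portion learns nothing."""
    x1, y1 = share
    if len(candidate) != len(y1):
        raise ValueError("candidate must have the secret's length")
    x2 = 2 if x1 == 1 else 1
    ys = bytearray()
    for y, s in zip(y1, candidate):
        slope = gf_mul(y ^ s, gf_inv(x1))     # line y = s + slope*x through (x1, y1)
        ys.append(s ^ gf_mul(slope, x2))
    return (x2, bytes(ys))
```

In the arrangement the text describes, share 1 would live with the access-controlling device or security service and share 2 on the user's personal device; a 2-of-3 split additionally leaves a recovery share for the case where the phone is lost, without weakening the property that any single share is uninformative.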
In other embodiments, it would be advantageous to give users access to secrets or access-protected resources (e.g., logging in to an operating system, running an application, accessing protected data, etc.) even when they have no network connection, or only a weak one. According to embodiments described herein, secrets (e.g., passwords, keys, tokens, certificates, hashes, etc.) may be stored on an endpoint device in a form that a user cannot access without interacting with a separate auxiliary device to decrypt them. With such techniques, even if the endpoint device (e.g., a laptop, personal computer, tablet, etc.) is stolen, the secrets stored on it remain protected against theft or misuse.
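One way to lay out the offline arrangement just described, as an added example that is not the disclosure's own code: the endpoint keeps only a sealed blob, and the auxiliary device keeps a root key that never leaves it and answers a per-blob key-derivation request over a local channel (the channel, the user-approval prompt on the auxiliary device, and the names AuxiliaryDevice, seal_secret and open_secret are all assumptions). To stay dependency-free the block encrypts with HMAC-SHA256 in counter mode and an encrypt-then-MAC tag; a production build would use AES-GCM or ChaCha20-Poly1305 with the same key-management layout, which is the point of the example.

```python
"""Endpoint-stored secret that only a paired auxiliary device can unwrap, offline.

Added example (assumptions, not the disclosure's design): the laptop stores the
blob, the phone stores the root key, and the phone releases a derived unwrap
key only after the user approves on it.  HMAC-CTR + HMAC tag stands in for a
real AEAD purely to avoid third-party dependencies.
"""
import hashlib
import hmac
import os


class AuxiliaryDevice:
    """Phone side: the only holder of the root key."""

    def __init__(self, root_key: bytes) -> None:
        if len(root_key) < 32:
            raise ValueError("root key must be at least 256 bits")
        self._root = root_key

    def derive_unwrap_key(self, salt: bytes, purpose: str, user_approved: bool) -> bytes:
        """Return HMAC(root, purpose || salt).  Refused unless the user approved
        on the phone; the root key itself is never sent to the endpoint."""
        if not user_approved:
            raise PermissionError("release not approved on the auxiliary device")
        msg = b"unwrap\x00" + purpose.encode() + b"\x00" + salt
        return hmac.new(self._root, msg, hashlib.sha256).digest()


def _subkeys(unwrap_key: bytes):
    """Separate encryption and MAC keys derived from the unwrap key."""
    enc = hmac.new(unwrap_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(unwrap_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (stand-in for a real stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_secret(aux: AuxiliaryDevice, purpose: str, plaintext: bytes,
                user_approved: bool = True) -> dict:
    """Endpoint side: wrap a secret (password, key, token, ...) for local storage.
    The returned blob is everything the endpoint keeps; note it holds no key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc, mac = _subkeys(aux.derive_unwrap_key(salt, purpose, user_approved))
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, purpose.encode() + salt + nonce + ct, hashlib.sha256).digest()
    return {"purpose": purpose, "salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_secret(aux: AuxiliaryDevice, blob: dict, user_approved: bool = True) -> bytes:
    """Endpoint side: unwrap, verifying the tag before releasing any plaintext."""
    purpose, salt, nonce, ct, tag = (blob[k] for k in ("purpose", "salt", "nonce", "ct", "tag"))
    enc, mac = _subkeys(aux.derive_unwrap_key(salt, purpose, user_approved))
    expected = hmac.new(mac, purpose.encode() + salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("blob failed authentication: wrong auxiliary device or tampering")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))
```

Because the salt is stored next to the ciphertext and the unwrap key is a function of the root key and that salt, a thief with the laptop alone holds nothing that derives the key; a thief who also borrows a different phone gets a tag mismatch rather than garbage plaintext, and a request the user does not approve never produces a key at all.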
Further techniques related to those discussed above include security controls that limit the use or visibility of secure-session applications. For example, embodiments discussed below use the real-time proximity between a personal computing device (e.g., a mobile phone, tablet, laptop, etc.) and an endpoint resource with which the user has an ongoing session, and perform a control action on the session when that proximity is determined to have been lost. Proximity may be determined from a variety of sensor data, such as wireless signal strength, facial recognition, physical-presence sensing, activity in the secure session itself, biometric data, or other sensor data. If the physical proximity that was originally present (e.g., during authentication) between the personal computing device and the endpoint has been lost, control actions may be performed, such as suspending or terminating the secure session, prompting the user to confirm that the session should be kept open, requiring supplemental authentication, generating an alert, minimizing the tab or window associated with the application, logging the user off of their operating system or machine, lowering or disabling the user's privileges, making the session read-only, or various other control actions. Additionally, the disclosed techniques allow for discovery of potential hostile takeovers of personal computing devices; when such potentially threatening activity is detected, similar control actions may be taken to limit the resulting exposure.
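The proximity-driven control loop above, as an added example rather than the disclosure's code: a monitor fuses two of the sensor types the text lists (paired-device wireless signal strength and camera presence) with activity in the session itself, escalates through the listed control actions as absence lengthens, and flags the takeover case, namely input arriving in the session after the authenticated user has been gone past a grace period. The sensor fields, the thresholds (-70 dBm, 30 s grace, 120 s to suspend) and the two sensor traces are constructed for illustration.

```python
"""Proximity-gated session control with escalating actions.

Added example, not the disclosure's code.  Assumptions: the session host gets
periodic readings combining the paired phone's BLE RSSI, a camera presence
flag, and whether the secured session saw input; thresholds are illustrative.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Action(Enum):
    NONE = "none"                    # user present, session continues
    PROMPT = "prompt"                # proximity just lost: ask whether to keep the session
    READ_ONLY = "read_only"          # grace expired: drop the session to read-only
    SUSPEND = "suspend"              # long absence: suspend, re-authentication to resume
    TERMINATE_AND_ALERT = "terminate_and_alert"   # input with no user: suspected takeover


@dataclass
class Reading:
    t: float                         # seconds since session start
    rssi_dbm: Optional[int]          # BLE signal from the paired phone; None = not seen
    face_present: Optional[bool]     # camera presence; None = no camera data
    session_activity: bool           # keystrokes/requests in the session since last reading


class ProximityMonitor:
    def __init__(self, rssi_near_dbm: int = -70, grace_s: float = 30.0,
                 suspend_s: float = 120.0) -> None:
        self.rssi_near_dbm = rssi_near_dbm
        self.grace_s = grace_s
        self.suspend_s = suspend_s
        self.away_since: Optional[float] = None

    def is_near(self, r: Reading) -> bool:
        """Fail closed: no sensor data at all counts as 'not near'.  Any single
        positive signal (strong phone signal OR face seen) counts as near, so a
        phone left in a bag does not lock out a user who is visibly present."""
        votes = []
        if r.rssi_dbm is not None:
            votes.append(r.rssi_dbm >= self.rssi_near_dbm)
        if r.face_present is not None:
            votes.append(r.face_present)
        return any(votes)

    def step(self, r: Reading) -> Action:
        if self.is_near(r):
            self.away_since = None           # user is back; clear the absence timer
            return Action.NONE
        if self.away_since is None:
            self.away_since = r.t
            return Action.PROMPT
        away = r.t - self.away_since
        if r.session_activity and away >= self.grace_s:
            # Someone is driving the session while the authenticated user has been
            # gone past the grace period: treat as a hostile takeover.
            return Action.TERMINATE_AND_ALERT
        if away >= self.suspend_s:
            return Action.SUSPEND
        if away >= self.grace_s:
            return Action.READ_ONLY
        return Action.PROMPT

    def run(self, readings: List[Reading]) -> List[Action]:
        return [self.step(r) for r in readings]


# Constructed trace: user works, walks away with the phone, does not return.
WALK_AWAY = [
    Reading(0, -55, True, True),
    Reading(10, -60, None, True),      # no camera data, phone still near
    Reading(20, -85, False, False),    # phone far and face gone: prompt
    Reading(40, None, False, False),   # 20 s away, still inside the grace period
    Reading(60, None, False, False),   # 40 s away: read-only
    Reading(150, None, False, False),  # 130 s away: suspend
]

# Constructed trace: user leaves, then "someone" keeps using the session.
TAKEOVER = [
    Reading(0, -55, True, True),
    Reading(20, -90, False, False),
    Reading(70, None, False, True),    # input 50 s after the user left
]
```

The escalation order mirrors the control actions the text lists, from the least disruptive (a prompt) to the most (termination plus an alert); the read-only and suspend rungs give a user who merely stepped out a cheap way back, while the activity-while-absent rule is what turns proximity data into takeover detection rather than only a screensaver.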